Blue Pill threat dead? … That's wishful thinking

By Ellen Messmer , Network World , 08/08/2007

Joanna Rutkowska, the renowned rootkit researcher at Invisible Things Lab based in Poland, has ignited keen interest in virtualization-based malware with her creation called Blue Pill. Last year at the Black Hat conference she gave a presentation on Blue Pill, and at last week’s Black Hat 2007, she announced she is making the New Blue Pill, which, among other things, can run tens of Blue Pills inside each other, available for research purposes.

Taking up the challenge to try to detect stealthy rootkits, researchers from Symantec, Root Lab, and Matasano, who gave their own presentation at Black Hat entitled “Don’t Tell Joanna, the Virtualized Rootkit is Dead,” are aiming to prove they can detect Blue Pill and any other virtualized rootkit with software they’ve collaborated on called Samsara. But no one is declaring victory yet in detecting Blue Pill. In the following essay, Rutkowska shares some observations about things not easily seen. -- Ellen Messmer

By Joanna Rutkowska, Invisible Things Lab

Since the Black Hat conference last year, when I presented the first hardware virtualization-based malware, code-named “Blue Pill,” an amazing debate has been going on. Several security researchers decided to prove that the virtualization malware threat is non-existent. Some went even as far as to announce that the “virtualized rootkit is dead.” Interestingly, none of those researchers has presented any solution to be used for either virtualization malware prevention or detection.

First, it turned out that the “blue pill killers” confused virtualization detection with virtualization rootkits detection. Wait a second – but isn’t that the same thing, you might ask? After all, virtualization-based rootkits need to make use of virtualization, so by detecting (unexpected) virtualization we detect the virtualization-based malware as well, right? Well, not quite – it’s a bit like saying that every program that makes use of networking is a botnet agent, just because botnet agents need to use networking.

As hardware virtualization technology gets more and more widespread, many machines will be running with virtualization mode enabled, both servers and desktops, no matter whether “bluepilled” or not. In that case, blue pill-like malware will not need to take any special efforts to pretend that virtualization is not enabled, as it’s actually expected that virtualization is being used for some legitimate purposes. This means the rootkit code can be greatly simplified.

Using a "blue pill detector" that in fact is just a generic virtualization detector is thus completely pointless here.
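To make the distinction above concrete, here is an added example (not code from the original article or from Invisible Things Lab): a C program that reads the CPUID hypervisor-present bit and the vendor signature leaf, then grades the result against a baseline of hypervisors expected on the machine. The allow-list and the verdict names are assumptions for the example; the point it demonstrates is that “virtualization is present” is only meaningful relative to such a baseline, and a hypervisor that simply does not advertise itself is invisible to this kind of check.

```c
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Vendor signatures a cooperative hypervisor returns in CPUID leaf
 * 0x40000000 (EBX:ECX:EDX, 12 bytes). Which vendors are "expected" is a
 * per-host policy decision; this list is an assumption for the example. */
static const char *const EXPECTED_HYPERVISORS[] = {
    "KVMKVMKVM\0\0\0", "VMwareVMware", "Microsoft Hv", "XenVMMXenVMM",
};

enum vm_verdict { VM_NONE, VM_EXPECTED, VM_UNEXPECTED };

/* Grade an observation against the baseline. 'present' is CPUID.1:ECX[31];
 * 'sig' is the 12-byte vendor signature (ignored when !present).
 * VM_UNEXPECTED means "differs from baseline, investigate", not "rootkit".
 * VM_NONE only means no hypervisor chose to advertise itself. */
enum vm_verdict classify(int present, const char sig[12]) {
    if (!present) return VM_NONE;
    size_t n = sizeof EXPECTED_HYPERVISORS / sizeof *EXPECTED_HYPERVISORS;
    for (size_t i = 0; i < n; i++)
        if (memcmp(sig, EXPECTED_HYPERVISORS[i], 12) == 0) return VM_EXPECTED;
    return VM_UNEXPECTED;
}

/* Query the CPU. Returns 1 and fills 'sig' if the hypervisor-present bit is
 * set; the bit is set voluntarily by the hypervisor, so 0 proves nothing. */
int probe(char sig[12]) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d) || !(c & (1u << 31))) return 0;
    __cpuid(0x40000000, a, b, c, d);   /* leaf is above the basic max, so no __get_cpuid */
    memcpy(sig, &b, 4); memcpy(sig + 4, &c, 4); memcpy(sig + 8, &d, 4);
    return 1;
#else
    (void)sig; return 0;               /* non-x86 build: nothing to query */
#endif
}

int main(void) {
    char sig[12] = {0};
    int present = probe(sig);
    static const char *const names[] = {"no advertised hypervisor",
                                        "expected hypervisor", "UNEXPECTED hypervisor"};
    printf("%s (vendor: %.12s)\n", names[classify(present, sig)], present ? sig : "-");
    return 0;
}
```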

Obviously, in such scenarios, blue pill-like malware must support nested hypervisors. And this is what we have implemented in our New Blue Pill proof of concept and presented at the recent Black Hat conference.

We can run tens of blue pills inside each other and they all work and each of them thinks that it’s the real hypervisor! You can actually try it at home, as we decided to make the source code for the New Blue Pill publicly available. We still fail at running Virtual PC 2007 (the only Windows product we found so far that makes use of hardware virtualization) as a nested hypervisor, but we hope to have this fixed in the coming weeks. By the way, please note that the Virtual PC hypervisor doesn’t block Blue Pill from loading.
